Libvirt Driver File Disclosure Vulnerability in OpenStack Compute
CVE-2016-2140

5.3MEDIUM

Key Information:

Vendor

Openstack
Status
Nova
Vendor
CVE Published:
12 April 2016

What is CVE-2016-2140?

A security vulnerability exists in the libvirt driver of OpenStack Compute (Nova) affecting versions prior to 2015.1.4 and 12.0.x before 12.0.3. When raw storage is utilized and the 'use_cow_images' option is set to false, remote authenticated users may exploit this flaw to read arbitrary files through a specially crafted qcow2 header in ephemeral or root disk. This could lead to unauthorized access to sensitive information, posing risks to data confidentiality in OpenStack environments.

References

https://bugs.launchpad.net/nova/+bug/1548450
x_refsource_CONFIRM
https://security.openstack.org/ossa/OSSA-2016-007.html
x_refsource_CONFIRM
http://www.securityfocus.com/bid/84277
vdb-entryx_refsource_BID

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.